Stored Cross-Site Scripting in Smash Balloon Photo Feed Plugin for WordPress
CVE-2025-4583

5.4MEDIUM

What is CVE-2025-4583?

The Smash Balloon Social Photo Feed plugin for WordPress is vulnerable to a Stored Cross-Site Scripting issue due to inadequate input validation and output escaping in the data-plugin attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to embed malicious scripts within pages. When users access those pages, the scripts will execute in their browsers, potentially compromising user data and site integrity.

Affected Version(s)

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin * <= 6.9.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Asaf Mozes
.
The Cyber Security Vulnerability Database.